VMware adopts an 'intrinsic security' approach

VMware is bolstering its security range by introducing vSphere Platinum, a new iteration of its virtualisation software that has security integrated into the hypervisor, and unites vSphere's native security capabilities with AppDefense, the company's data centre endpoint security solution.

At VMworld 2018, in Barcelona, this morning, VMware CEO Pat Gelsinger said: "VMware vSphere now has AppDefense built right in."

AppDefense was released a year ago, and was designed to protect applications running in virtualised environments. It employs machine learning and behavioural analytics to understand how an application should behave, and then detects threats by monitoring for anomalous behaviours and changes to the application's intended state.

The Platinum edition combines vSphere's native security capabilities with AppDefense. It was designed with the aim of helping vSphere administrators deliver more secure applications and infrastructure by allowing virtual machines (VMs) to run in a "known good" state.

"Visibility into application behaviour allows organisations to boost their threat detection and response capabilities," the company says.

AppDefense lets businesses see what the purpose of each VM is and tells the system what it is allowed to do. This significantly shrinks the attack surface without any negative impact on operations or performance.

Powerful, profound

Gelsinger said the capability is "powerful and profound", and VMware wants users to be able to leverage it everywhere, which is why it is being built directly into vSphere.

"I like to think of it as the 'burger and fries'. Nobody leaves the restaurant without fries. Who would consider running a VM in the future without turning on security? That's how we want this to work going forward," he added.

According to Gelsinger, VMware sees enterprises making a shift from point security tools to security that's embedded in infrastructure. "The highest spend is on security, and the cost of breaches today is more than that spend. We need to turn the industry on its head and think about security in a fundamentally different way. We need to change to 'intrinsic' security."

He says a bolt-on approach means 'chasing bad'. "The weakest link becomes the only link that matters. We looked at micro-segmentation; this model changed everything, and added many layers to security. Think about a bank: if the locked door is breached, you still need to get through several other doors."

Adaptive micro-segmentation

Alongside the introduction of vSphere Platinum, VMware also improved its micro-segmentation offering with what it calls 'adaptive micro-segmentation'.

Micro-segmentation is a way of creating secure 'pockets' in data centres and cloud deployments, which allows businesses to isolate workloads from each other and secure them individually, with the aim of reducing the attack surface.

Companies can formulate policies that limit network and application flows between workloads to those that are explicitly allowed, decreasing the risk of a threat actor moving from one compromised workload or application to the next.

"VMware has discussed micro-segmentation at the network level for around five years, and it has become a key part of our NSX networking and security platform. Now, adaptive micro-segmentation brings segmentation up the stack from the network level to include the application layer, bringing VMware's network products, namely NSX and vRealize Network Insight for operations management, closer together with AppDefense," Gelsinger explains.

When the solutions work together, they can pinpoint the composition and intended behaviour of an application, align policy to the application, and lock down the workload and network elements of said application. Moreover, the technologies can automatically rework compute and network security policy to address any application component changes as and when they happen.